WWVISIT.rar

Full analysis: https://app.any.run/tasks/0e757b87-2c10-4499-9ebc-8088d452537f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary widely by type, ranging from maintaining full remote control over the victim's machine to stealing data and files and dropping other malware, so the main functionality of one trojan family can differ significantly from another's. The most common trojan infection chain starts with a phishing email.

Analysis date: June 27, 2022, 11:55:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 4A7A104DA0C55BABBF7FADBE02C72B97
SHA1: 75A2F09EEED9F9A3C3D34E1906DD47DDB0A57DE1
SHA256: BE844BC0714032C40E0DB886EAB6CE15BB50C76B94B7E531D32EE82A53169473
SSDEEP: 196608:+pggWu+Yl7IZQYkVqHGxmijljb9OHr6Dyq+WH6Ghefn9nToiUnlYqzZbVOg4J5lZ:+pquSOY+qmg+K6eTBQlYku

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 4080)
    • Loads dropped or rewritten executable
      • WWVISIT.exe (PID: 3260)
    • Application was dropped or rewritten from another process
      • WWVISIT.exe (PID: 3260)
  • SUSPICIOUS
    • Reads the computer name
      • WWVISIT.exe (PID: 3260)
      • WinRAR.exe (PID: 4080)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 4080)
    • Checks supported languages
      • WinRAR.exe (PID: 4080)
      • WWVISIT.exe (PID: 3260)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 4080)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 4080)
    • Reads settings of System Certificates
      • WWVISIT.exe (PID: 3260)
No Malware configuration.

TRiD

  • .rar | RAR compressed archive (v5.0) (61.5)
  • .rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> (drop and start) -> wwvisit.exe

Process information

PID: 3260
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\WWVISIT.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\WWVISIT.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa4080.9893\wwvisit\wwvisit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\users\admin\appdata\local\temp\rar$exa4080.9893\wwvisit\qt5widgets.dll

PID: 4080
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WWVISIT.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 3 496
Read events: 3 478
Write events: 18
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
4080 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\WWVISIT.rar
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 28
Suspicious files: 1
Text files: 3
Unknown types: 15

Dropped files

PID | Process | Filename | Type
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\data\project.xml | xml
  MD5: (not reported)
  SHA256: (not reported)
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qtiff.dll | executable
  MD5: 756D047A93D72771578286E621585ED2
  SHA256: F9EBF4C98C1E0179CD76A1985386928FDB9E6F459E2238ED5530D160DF4F0923
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qjpeg.dll | executable
  MD5: 3232706A63E7CDF217B8ED674179706C
  SHA256: 45C1F50C922AC1D9D4108E37F49981FD94F997667E23085CB2EA226D406C5602
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\data\remote_settings.ini | text
  MD5: 6C8B0641D4D019DA8F99339DE19DA7CA
  SHA256: 78EFB7D5F66CCE1C0DE86A764BC48450B929DF61849280B861FB0DB2128B2A37
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\iconengines\qsvgicon.dll | executable
  MD5: 90BB882A4B5E3427F328259530AA1B3B
  SHA256: B2B420AA1805D8B5DC15CCB74DD664D10BD6BA422743F5043A557A701C8A1778
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qgif.dll | executable
  MD5: C108D79D7C85786F33F85041445F519F
  SHA256: D5459A707922DD2BF50114CC6718965173EE5B0F67DEB05E933556150CFDD9D1
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qicns.dll | executable
  MD5: 52C6978203CA20BEEAD6E8872E80D39F
  SHA256: E665F3519309BAE42E0E62F459ECC511701DDDDF94599EBFD213D0A71775C462
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qwbmp.dll | executable
  MD5: 131A58669BE7B3850C46D8E841DA5D4E
  SHA256: 043F3ACF1DC4F4780721DF106046C597262D7344C4B4894E0BE55858B9FAD00E
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qsvg.dll | executable
  MD5: 2831B334B8EDF842CE273B3DD0ACE1F8
  SHA256: 6BAE9AF6A7790FBDEE87B7EFA53D31D8AFF0AB49BDAAEFD3FB87A8CC7D4E8A90
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qwebp.dll | executable
  MD5: F859ECC883476FE2C649CEFBBD7E6F94
  SHA256: B057C49C23C6EBE92E377B573723D9B349A6EDE50CFD3B86573B565BF4A2AE0B
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 5

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3260 | WWVISIT.exe | 51.38.126.82:443 | bablosoft.com | (not reported) | GB | suspicious

DNS requests

Domain | IP | Reputation
bablosoft.com | 51.38.126.82 | whitelisted

Threats

PID | Process | Class | Message
(none) | (none) | Potentially Bad Traffic | ET INFO Bablosoft BAS Related Domain in DNS Lookup (bablosoft .com)
(none) | (none) | Potentially Bad Traffic | ET TROJAN Observed DNS Query to bablosoft Domain (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
No debug info